<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Nathan and Sebastien,
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I’m interested in testing the revived Kerberos support in Lustre. I’d like to understand how you tested this feature and suggested best practices on setting
up the Kerberos environment for use with Lustre. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I’ve looked in Jira and can’t find a test plan for Kerberos. Do you have a test plan and would you please share it?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I’ve looked over all the patches for the Kerberos Revival ticket and don’t see any new tests added by these patches. Does this mean that the existing Kerberos
tests in sanity-krb5 still work and test the feature thoroughly? If not, would you please submit a patch adding new tests?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thank you,
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">James<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> lustre-devel [mailto:lustre-devel-bounces@lists.lustre.org]
<b>On Behalf Of </b>Nathan Rutman<br>
<b>Sent:</b> Tuesday, April 21, 2015 1:47 PM<br>
<b>To:</b> Sebastien Buisson; Andrew Perepechko<br>
<b>Cc:</b> iudev@lists.opensfs.org; lustre-devel@lists.lustre.org<br>
<b>Subject:</b> Re: [lustre-devel] [Iudev] proposed version change for PTLRPC GSS<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hi Sebastien -<o:p></o:p></p>
<div>
<p class="MsoNormal">thanks for pushing this forward. At this point, I want to make sure that we have the "union" of all the Kerberos fixes from Bull and Seagate on track for landing. I know you're already working with Andrew but if there's anything else that
you need from Seagate please let me know.<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><br clear="all">
<o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b>--</b><o:p></o:p></p>
<div>
<p class="MsoNormal"><b><span style="font-size:7.5pt">Nathan Rutman · <span style="color:#666666">Principal Systems Architect</span><br>
<span style="color:#0B5394">Seagate Technology</span> · </span></b><span style="font-size:7.5pt">+1 503 877-9507<b> ·
</b>GMT-8</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Thu, Apr 16, 2015 at 11:38 AM, Sebastien Buisson <<a href="mailto:sebastien.buisson@atos.net" target="_blank">sebastien.buisson@atos.net</a>> wrote:<o:p></o:p></p>
<p class="MsoNormal">Hi Nathan,<br>
<br>
All the Kerberos related patches that are not landed yet are:<br>
LU-3778:<br>
<a href="http://review.whamcloud.com/14040" target="_blank">http://review.whamcloud.com/14040</a><br>
LU-6356:<br>
<a href="http://review.whamcloud.com/14349" target="_blank">http://review.whamcloud.com/14349</a><br>
<a href="http://review.whamcloud.com/14041" target="_blank">http://review.whamcloud.com/14041</a><br>
<a href="http://review.whamcloud.com/14042" target="_blank">http://review.whamcloud.com/14042</a><br>
<a href="http://review.whamcloud.com/14404" target="_blank">http://review.whamcloud.com/14404</a><br>
<br>
They can all possibly impact the work done on Shared Key feature, this is why I was proposing that have them merged as soon as possible.<br>
<br>
Best regards,<br>
Sebastien.<br>
<br>
<br>
Le 16/04/2015 12:22, Nathan Rutman a écrit :<o:p></o:p></p>
<p class="MsoNormal">Sebastien, do these patches represent all the merged Kerberos changes?<br>
Or can these be landed independently of the others?<br>
<br>
<br>
*--*<br>
*Nathan Rutman · Principal Systems Architect<br>
Seagate Technology** · *<a href="tel:%2B1%20503%20877-9507" target="_blank">+1 503 877-9507</a>* · *GMT-8<br>
<br>
On Fri, Mar 27, 2015 at 1:45 AM, Sebastien Buisson<br>
<<a href="mailto:sebastien.buisson@atos.net" target="_blank">sebastien.buisson@atos.net</a> <mailto:<a href="mailto:sebastien.buisson@atos.net" target="_blank">sebastien.buisson@atos.net</a>>> wrote:<br>
<br>
Re-emitting because of issues with my email address.<br>
--------<br>
<br>
Hi,<br>
<br>
As I understand the need for evolutions in the GSS code, I advocate<br>
the review and merge of all patches related to Kerberos revival as<br>
soon as possible. It would avoid painful rebase of work done by IU,<br>
or Kerberos patches, or both.<br>
The Kerberos revival patches waiting for review are:<br>
<a href="http://review.whamcloud.com/__14040" target="_blank">http://review.whamcloud.com/__14040</a> <<a href="http://review.whamcloud.com/14040" target="_blank">http://review.whamcloud.com/14040</a>><br>
<a href="http://review.whamcloud.com/__14041" target="_blank">http://review.whamcloud.com/__14041</a> <<a href="http://review.whamcloud.com/14041" target="_blank">http://review.whamcloud.com/14041</a>><br>
<a href="http://review.whamcloud.com/__14042" target="_blank">http://review.whamcloud.com/__14042</a> <<a href="http://review.whamcloud.com/14042" target="_blank">http://review.whamcloud.com/14042</a>><br>
<br>
Best regards,<br>
Sebastien.<br>
<br>
<br>
Le 25/03/2015 22:25, Dilger, Andreas a écrit :<br>
<br>
Sebastien,<br>
can you please also add <a href="mailto:lustre-devel@lists.lustre.org" target="_blank">
lustre-devel@lists.lustre.org</a><br>
<mailto:<a href="mailto:lustre-devel@lists.lustre.org" target="_blank">lustre-devel@lists.lustre.org</a>> to the CC list for<br>
this discussion.<br>
<br>
On 2015/03/24, 3:12 AM, "Sebastien Buisson"<br>
<<a href="mailto:sebastien.buisson@atos.net" target="_blank">sebastien.buisson@atos.net</a> <mailto:<a href="mailto:sebastien.buisson@atos.net" target="_blank">sebastien.buisson@atos.net</a>>><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
wrote:<br>
<br>
Hi there,<br>
<br>
I agree we should not bother with backward compatibility.<br>
Kerberos<br>
revival patches aim at Lustre 2.8, so we are good if the<br>
modifications<br>
you propose also land in 2.8.<br>
<br>
Taking advantage of the opportunity to replace<br>
handle_nullreq with<br>
subflavor specific code is really nice, as those bits are really<br>
confusing for someone who tries to understand the code.<br>
<br>
Cheers,<br>
Sebastien.<br>
<br>
<br>
Le 24/03/2015 02:34, Jeremy Filizetti a écrit :<br>
<br>
On the phone call last week we discussed an increment of the<br>
PTLRPC_GSS_VERSION to version 2 to allow some changes<br>
changes/restructuring. No one had any objections on the<br>
phone call but<br>
I wanted to send it out for wider distribution and feedback.<br>
<br>
Changing the request format would allow us to support<br>
larger GSS token<br>
sizes which today are limited (see ticket LU-3855).<br>
From what I have<br>
looked through so far the following seems to allow for<br>
larger tokens and<br>
also allow some of these changes without having to worry<br>
about backwards<br>
compatibility since it was never really "working" anyways.<br>
<br>
Change PTLRPC_GSS_VERSION to 2<br>
<br>
Enlarge GSS_CTX_INIT_MAX_LEN to something larger then<br>
1024. Ideally we<br>
would support MaxTokenSize of 64k for the largest active<br>
directory<br>
ticket: (see<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <a href="http://blogs.technet.com/b/__shanecothran/archive/2010/07/__16/maxtokensize-a" target="_blank">
http://blogs.technet.com/b/__shanecothran/archive/2010/07/__16/maxtokensize-a</a><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<<a href="http://blogs.technet.com/b/shanecothran/archive/2010/07/16/maxtokensize-a" target="_blank">http://blogs.technet.com/b/shanecothran/archive/2010/07/16/maxtokensize-a</a>><br>
nd-kerberos-token-bloat.aspx).<br>
The purpose of enlarging this is to support larger<br>
tokens. The<br>
sizeof(struct rsi) needs to remain under PAGE_SIZE right<br>
now with<br>
rsi_request calling sunrpc_cache_pipe_upcall. Since<br>
there is only one<br>
lsvcgssd process supposed to be running maybe it would<br>
be acceptable to<br>
use larger requests and just slightly modify rsi_request<br>
to incorporate<br>
must of the functionality of sunrpc_cache_pipe_upcall.<br>
<br>
To keep things simple with the lsvcgssd and continue to<br>
use a single<br>
channel proc file interface I'd like to AND the GSS<br>
subflavor onto most<br>
significant bits of lustre_svc in struct rsi. Instead<br>
of calling the<br>
inappropriately named handle_nullreq things would be<br>
changed to handle<br>
the multiple subflavors (gssnull, sk, krb5). gssnull<br>
and sk won't have<br>
a full userspace component so gss_accept_sec_context<br>
can't be called.<br>
<br>
Thoughts welcome. I'm sure I missed something along the<br>
way here but<br>
this is just what I have looked at so far.<br>
<br>
Thanks,<br>
Jeremy<br>
<br>
<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"> _________________________________________________<br>
Iudev mailing list<br>
<a href="mailto:Iudev@lists.opensfs.org" target="_blank">Iudev@lists.opensfs.org</a> <mailto:<a href="mailto:Iudev@lists.opensfs.org" target="_blank">Iudev@lists.opensfs.org</a>><br>
<a href="http://lists.opensfs.org/__listinfo.cgi/iudev-opensfs.org" target="_blank">
http://lists.opensfs.org/__listinfo.cgi/iudev-opensfs.org</a> <<a href="http://lists.opensfs.org/listinfo.cgi/iudev-opensfs.org" target="_blank">http://lists.opensfs.org/listinfo.cgi/iudev-opensfs.org</a>><br>
<br>
_________________________________________________<br>
Iudev mailing list<br>
<a href="mailto:Iudev@lists.opensfs.org" target="_blank">Iudev@lists.opensfs.org</a> <mailto:<a href="mailto:Iudev@lists.opensfs.org" target="_blank">Iudev@lists.opensfs.org</a>><br>
<a href="http://lists.opensfs.org/__listinfo.cgi/iudev-opensfs.org" target="_blank">
http://lists.opensfs.org/__listinfo.cgi/iudev-opensfs.org</a><br>
<<a href="http://lists.opensfs.org/listinfo.cgi/iudev-opensfs.org" target="_blank">http://lists.opensfs.org/listinfo.cgi/iudev-opensfs.org</a>><br>
<br>
<br>
<br>
Cheers, Andreas<br>
<br>
_________________________________________________<br>
Iudev mailing list<br>
<a href="mailto:Iudev@lists.opensfs.org" target="_blank">Iudev@lists.opensfs.org</a> <mailto:<a href="mailto:Iudev@lists.opensfs.org" target="_blank">Iudev@lists.opensfs.org</a>><br>
<a href="http://lists.opensfs.org/__listinfo.cgi/iudev-opensfs.org" target="_blank">
http://lists.opensfs.org/__listinfo.cgi/iudev-opensfs.org</a><br>
<<a href="http://lists.opensfs.org/listinfo.cgi/iudev-opensfs.org" target="_blank">http://lists.opensfs.org/listinfo.cgi/iudev-opensfs.org</a>><br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
Iudev mailing list<br>
<a href="mailto:Iudev@lists.opensfs.org" target="_blank">Iudev@lists.opensfs.org</a><br>
<a href="http://lists.opensfs.org/listinfo.cgi/iudev-opensfs.org" target="_blank">http://lists.opensfs.org/listinfo.cgi/iudev-opensfs.org</a><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>